
Gadgets Bring New Opportunities for Hackers

Adrian Turner, chief of Mocana, a security company, says device makers are rushing products. Credit: Peter DaSilva for The New York Times

Researchers at Mocana, a security technology company in San Francisco, recently discovered they could hack into a best-selling Internet-ready HDTV model with unsettling ease.

They found a hole in the software that helps display Web sites on the TV and leveraged that flaw to control information being sent to the television. They could put up a fake screen for a site like Amazon.com and then request credit card billing details for a purchase. They could also monitor data being sent from the TV to sites.

“Consumer electronics makers as a class seem to be rushing to connect all their products to the Internet,” said Adrian Turner, Mocana’s chief executive. “I can tell you for a fact that the design teams at these companies have not put enough thought into security.”

Mocana and firms like it sell technology for protecting devices and often try to publicize potential threats. But the Mocana test also illustrates what security experts have long warned: that the arrival of Internet TVs, smartphones and other popular Web-ready gadgets will usher in a new era of threats by presenting easy targets for hackers.

As these devices become more popular, experts say, consumers can expect to run into familiar scams like credit card number thefts as well as new ones that play off features in the products. And because the devices are relatively new, they do not yet have as much protection as more traditional products, like desktop computers, do.

“When it comes to where the majority of computing horsepower resides, you’re seeing a shift from the desktop to mobile devices and Web-connected products, and inevitably, that will trigger a change in focus within the hacking community,” said K. Scott Morrison, the chief technology officer at Layer 7 Technologies, which helps companies manage their business software and infrastructure. “I really do believe this is the new frontier for the hacking community.”

To combat the threat, security companies have been pushing to develop new protection models. They are promoting items like fingerprint scanners and face recognition on devices, and tools that can disable a device or freeze its data if an attack is reported. But so far, such security measures have largely failed to reach the mainstream.

Enrique Salem, the chief executive at Symantec, which makes antivirus software frequently installed on PCs, said it was unlikely that his company would produce the same kind of software for all of the new products. Such software can require a fair amount of computing muscle, which would put too much burden on devices that lack the oomph and battery life of traditional computers.

And second, the attacks that Symantec and others have seen on the devices are so new that they will require a fresh approach, he said.

“With something like Android, it’s a different type of threat and it functions differently,” Mr. Salem said.

Symantec will focus on adding fingerprint scanners and other personal identifiers to devices, Mr. Salem said.

The company also hopes to use features in the devices to help with protection. For example, if someone logs in to a computer from Florida, but location-tracking data says that the person’s phone is in Texas, then an application might ask a security question.

Another goal is to let consumers report a possible security problem and get their data locked down or erased remotely until the problem is cleared up. “You want that ability to wipe the data away if a device is lost,” Mr. Salem said.

The chip maker Intel recently bought Symantec’s main security technology rival, McAfee, for $7.7 billion. Intel executives say they plan to build some of McAfee’s technology into future chips that will go into mobile phones and other newer devices.

Cellphones have been connected to the Web for years, but for much of that time, they tended to have tightly controlled, limited software and other constraints that made it difficult for hackers to do much damage. Attackers continued to find easier targets, and a larger pool of potential victims, by going after PCs running Microsoft Windows and other popular Web software.

But these days, smartphones have many more capabilities. And smartphone shipments have hit a critical mass that makes them worth a hacker’s while.

Also, Apple, Google, Nokia and others are in a race to fill their online mobile software stores with applications. These companies have review mechanisms that try to catch malicious software, but the volume of new apps coupled with hackers’ wile makes it difficult to catch every bad actor.

With Android, in particular, Google has fostered a vibrant and chaotic smartphone platform in which companies of various shapes, sizes and standards have rushed out devices and complementary applications. Unlike Apple, Google does not approve applications one by one.

Instead, it asks software makers to state what phone functions their applications tap into and to present that information to consumers. People can then decide if they are willing to download the application, and they can post online reviews for the software.

A Google spokesman said that the company expected consumers to perform this type of self-policing and added that Google quickly investigated applications that received complaints.

Still, there is a Wild West vibe to the smartphone market these days as smaller, unproven manufacturers have followed the likes of Apple, Nokia and Motorola in making smartphones.

“The good smartphones have been pretty well designed,” said Mr. Morrison of Layer 7 Technologies. “The problem now is the flood of secondary phones that bring interesting diversity and also open up holes for hackers.”

Security companies have issued repeated warnings that hackers have already started to capitalize on the application stores. The companies also caution that hackers have discovered fake programs that try to steal passwords or make expensive phone calls.

Jimmy Shah, a mobile security researcher at McAfee Labs, said the company had run into so-called smishing attacks, a variation on phishing, in which someone is sent a deceptive text message that appears to have come from a bank or a retailer. Often, the message will ask the person to call a customer support line, at which point the attackers try to coax valuable information from the victim.

Mr. Morrison said another concern was that hackers would concentrate on trying to run up people’s phone bills or find ways to tap into the location-tracking services tied to phones.

“It is like a stalker’s dream,” he said.

The flood of Web-enabled devices hitting the market, like the one the Mocana researchers hacked into, may be a more immediate threat.

Mr. Turner of Mocana said the maker of that television had left crucial bits of information about its security credentials and those of third parties in an easy-to-reach spot, meaning that a hacker could infiltrate some of the data exchanged between companies providing commerce services for the TV.

Mocana has notified the TV maker of the issues and has declined to reveal the company’s identity in a bid to thwart hackers. Mr. Turner would say it was one of the five best-selling Web-ready HDTVs.

“The things we found were mistakes that an inexperienced device designer would make when connecting something to the Internet for the first time,” Mr. Turner said.

A version of this article appears in print on December 27, 2010, on Page B1 of the New York edition with the headline: For Hackers, Bait In New Era of Devices.